MARATHON COUNTY Wausau, Wisconsin

COMMUNICATION TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

As of and for the Year Ended December 31, 2015

MARATHON COUNTY

TABLE OF CONTENTS

Page No. Required Communication of Internal Control Related Matters Identified in the Audit to Those Charged with Governance 1 Internal Control Environment Over Financial Reporting 2 Decentralized Activities – Central Wisconsin Airport 3 Treasurer’s Office 3 – 4 Information Technology 4 – 6 Other Communications to Those Charged with Governance Two Way Communication Regarding Your Audit 7 – 9 Communication of Other Control Deficiencies, Recommendations and Informational Points to Management that are not Material Weaknesses or Significant Deficiencies 10 – 17 Required Communications by the Auditor to Those Charged with Governance 18 – 22 Management Representations

REQUIRED COMMUNICATION OF INTERNAL CONTROL RELATED MATTERS IDENTIFIED IN THE AUDIT TO THOSE CHARGED WITH GOVERNANCE

Baker Tilly Virchow Krause, LLP Ten Terrace Ct, PO Box 7398 Madison, WI 53707-7398 tel 608 249 6622 fax 608 249 8532 bakertilly.com

Page 2

Auditing standards require that we perform procedures to obtain an understanding of your government and its internal control environment as part of the annual audit. This includes an analysis of significant transaction cycles and an analysis of the year-end financial reporting process and preparation of your financial statements. INTERNAL CONTROL OVER FINANCIAL REPORTING Properly designed systems of internal control provide your organization with the ability to process and record monthly and year-end transactions and annual financial reports. Our audit includes a review and evaluation of the County’s internal controls relating to financial reporting. Common attributes of a properly designed system of internal control for financial reporting are as follows:

> There is adequate staffing to prepare financial reports throughout the year and at year-end.

> Misstatements are identified and corrected during the normal course of duties.

> Complete and accurate financial statements including footnotes are prepared.

> Complete and accurate schedule of expenditures of federal and state awards is prepared.

> Financial reports are reviewed for completeness and accuracy. Our evaluation of the internal controls over financial reporting has identified control deficiencies that are considered significant deficiencies surrounding the preparation of financial statements and footnotes (including the schedule of expenditures of federal and state awards), adjusting journal entries identified by the auditors, and an independent review of financial reports. Management has not prepared financial statements that are in conformity with generally accepted accounting principles and misstatements in the general ledger and the schedule of expenditures of federal and state awards were identified during the audit. This level of internal control over financial reporting can be a difficult task for governments that operate with only enough staff to process monthly transactions and reports, and often engage their auditors to propose certain year-end audit entries and prepare the financial statements. Management’s Response The County has implemented procedures for county personnel that prepare the financial statements to review transactions and accounts so that the financial statements would be free of any material errors. The County reviewed transactions and accounts that met transaction dollar limits, reviewed transactions during the year and completed additional pre-audit work to verify all transactions were appropriate. The County takes the accuracy of its financial reporting very seriously and will continue to strive to create financial statements that are free of material misstatement. The Finance Department staff does attend GFOA and other governmental accounting training and maintains the knowledge and ability to complete the financial statements in house. If in the future additional resources become available, the County will review the final financial transactions and entries and develop the comprehensive annual financial report in house.

Page 3

DECENTRALIZED ACTIVITIES – CENTRAL WISCONSIN AIRPORT The Central Wisconsin Airport (CWA) invoices throughout the year for items such as terminal space leasing, fuel sales, hangar lease, and other items. Payments are sent directly to CWA and deposited by CWA staff once per month. Deposited amounts are in excess of $100,000 per month. We recommend the County and CWA determine if payments could be sent directly to the County Treasurer’s office for daily deposit. If this is not possible the collections at CWA should be deposited on a more frequent basis.

Current Year Status This comment was still valid for a majority of 2015. In December 2015, the Airport updated their invoices to direct the payee to send checks to the Treasurer’s department for the January 2016 billing and beyond. Management’s Response The County changed its Accounts Receivable billing practices and as of the end of 2015, the Central Wisconsin Airport has had its invoiced payments sent directly to the County Treasurer’s office. The County Treasurer and Finance Director will continue to work with CWA to verify that monthly invoice payments are sent directly to the Treasurer’s office. TREASURER’S OFFICE The County Treasurer’s office has multiple financial responsibilities as defined within Wisconsin State Statutes. Amongst those responsibilities is the collection of delinquent property or real estate taxes as well as performing settlements with the other taxing jurisdictions that collect currently owed taxes. With the significant amount of funds being collected for taxes as well as the importance of correctly settling with the other jurisdictions, it is critical that good internal controls exist throughout the year regarding these responsibilities. We reviewed the procedures and controls in the Treasurer’s office and noted the following areas where controls should be improved:

> During the month of August, the County Treasurer’s office “settles” with other governments that collect taxes throughout the year until this settlement date. As required by statute, the County then makes the other governments whole by paying them the full amount levied, less previous collections. Any remaining uncollected taxes are then assumed by the County and collection efforts are pursued. During this settlement process, the County underpaid two cities the amount they were owed. While it was subsequently discovered by the County, controls should be in place to prevent these types of errors from occurring. All settlements should be prepared by someone with a strong knowledge of this process and independently reviewed prior to settlement.

> The County utilizes a tax collection software system called Land Records. This system accounts for all of the delinquent taxes owed to the County, as well as penalties and interest accrued. Each day, amounts collected by the Treasurer’s office for the various categories are posted to accounts. The subsequent day, the financial activity is provided to the Finance department for posting to Cayenta, the County’s general ledger system. We noted several control deficiencies related to this process, including:

- The amounts reported for tax certificates by tax year in the Land Records system did not agree or reconcile to the amounts reported in Cayenta for several of the years reported. The most significant difference was a $250,549 amount when analyzing the 2013 tax year. Amounts reported in the Land Records system should agree to those reported in Cayenta at all times during the year. Any differences should be investigated in a timely manner and resolved. This control should be established between the County Treasurer’s office as the collecting agent, and the Finance Department since they are responsible for reporting.

Page 4

TREASURER’S OFFICE (cont.)

- The Land Records system is not able to produce historical reports, jeopardizing the

County’s ability to go back in time to resolve differences. We recommend the County work with its software vendor to determine if there is a way for these reports to be generated.

- Transactions posted to the Land Records system are not interfaced with Cayenta so the previous day’s activity must be posted into Cayenta by manual journal entries. The need to manually post entries compared to interfacing systems results in weakened controls over the ability to accurately report and safeguard county tax collections. We recommend the County work with its vendor to determine if interfacing these two system is possible.

- Users of the Land Records system periodically encounter the need to adjust (change) amounts previously posted. These adjustments are not being independently reviewed. We recommend that the County work with the vendor to determine if a report can be generated whereby a review of all adjustments could be performed by someone independent of posting journal entries.

We are available to assist the County with any of these recommendations. Management’s Response The Finance Department will work with the Treasurer’s office to develop a set of procedures to balance the Land Records system with Cayenta. The two systems balanced in past years. The land records application cannot rerun reports from prior dates to verify ending balances, so we will complete the current reconciliation and maintain monthly reconciliations of the two systems. Two items to note on the process of recording receipts from the land records system to Cayenta. Each day amounts collected by the Treasurer’s office for various categories are posted to the accounts (land records). The subsequent day, the financial activity is posted through Cayenta cash receipts by the County treasurer’s office not through the Finance Department. Also transactions posted to the Land Records system are not interfaced with Cayenta so the previous day’s activity must be posted by cash receipt at the Treasurer’s office not through manual journal entries. Lastly, the current Land Records system is old and many of the requested improvements that you suggested are not possible on the system without major programming changes. In 2016, the County is going out for RFP to purchase a new Land Records system and hopefully many of the suggestions that you have listed will be functioning in the new system. INFORMATION TECHNOLOGY As part of our 2015 audit, we evaluated information technology controls as they relate to financially significant applications. Our procedures primarily focused on documenting and evaluating general computer controls, including:

Logical access to data and applications Change and incident management System development and deployment Data backup and recovery

Page 5

INFORMATION TECHNOLOGY (cont.)

From our review, we have identified the following areas where we recommend controls be reviewed and potentially strengthened.

LOGICAL AND PHYSICAL ACCESS SECURITY During our audit we noted that there were several shared system accounts with access to the Cayenta application. There is a risk that accountability cannot be established within Cayenta and that unauthorized users may have access to the financial application. Marathon County should perform a review of accounts with access to Cayenta and ensure that all users have a unique ID. Any generic, shared, temporary, and system accounts should be removed or disabled. We also noted during our testing that there is access to make changes to transactions in Cayenta outside of the application interface. These changes are not logged, and therefore, provide an opportunity for unauthorized changes to be made to the system. We recommend that the County either remove this access, or create a method to log and review these changes. The County should consider implementing a policy to require user account terminations to be handled within a maximum of three business days from last working day. In some cases, terminations in the system should happen within 24 hours. We noted during testing that there was an 8-10 month lag before access was terminated in the system. The County should consider requiring password settings for all applications to be consistent. We noted that passwords for social service and land records applications do not require updating or complex characters. The County should also consider changing settings related to lockouts to three valid attempts for both network and all applications to be in line with best practice standards. There should be a periodic review of application access rights for social services. This should be done at least annually to ensure all user access is necessary and rights are appropriately limited. Management’s Response The County has generic IDs for Cayenta for CPZ, Sheriff and the Clerk. These logins are only used for cash receipting and reporting. The logins have no additional access to Cayenta. We cannot have logins for each person to receipt each transaction; that process would be extremely cumbersome. There are mitigating controls such as the drawers are balanced daily and the deposit is verified in the Treasurer’s office. We have contacted our accounting software vendor to look at how to provide better control over the access to Cayenta outside of the application interface. The proposed procedures that are required for the Finance Department to make changes are quite lengthy and we will look at having Cayenta complete the change or approve the required changes prior to Finance completing the change. Also many of the instances in which the Finance Department has had to make changes outside of the applications, dealt with issues that were problems/bugs in the software applications and CCITC has applied fixes and patches to the Cayenta applications affected which has greatly reduced the need for this type of access. We will need to work with the Employee Resources Department so that they can get termination notices to CCITC and the terminated employee can to be removed from the active directory in a timelier manner. At this time, the Finance Department does verify terminations on a quarterly basis to so that employees can be removed from the Cayenta system. Periodic review of access levels for the social services application will be reviewed as Social Services moves to the new system. The Social Services management team can review the permissions and set up a schedule for periodical review.

Page 6

INFORMATION TECHNOLOGY (cont.)

DATA BACKUP AND RECOVERY

The County performs backups for Cayenta and Social Services applications on a regular basis but these backups are not being tested no a proactive basis. We recommend a formal process be put in place to complete backup restores on a periodic basis to ensure that the backups are functioning as intended. Backups are maintained offsite for two years after either a four or six week period. The County is, therefore, exposed to a higher risk of lost data related to County data during the four to six week period prior to storage and after the two year period of offsite storage is completed. There are a variety of options available for backing up data offsite. This could include cloud technologies or backups to alternate locations that are real-time (rather than backing up to a disk and moving the disk). We recommend that the County reduce the amount of time backups are kept onsite. We noted during our current year testing that a process for monitoring network access and escalating certain security events exists. This point has been resolved since our communication to you last year. Management’s Response Our strategy for testing Cayenta restores is using the same type of back up process as we do for a routine backup to restore test environments. We will look to formalize this process and do an annual test. For Cayenta, there are two nightly disk to disk copies. One is on-site and the other is off-site at the Courthouse. Both of these have a 28 day rotation. In addition, there is a backup to tape that happens nightly and the tape is sent off-site each month. We have 2 years of month end tapes off site. An additional 5 years are in the vault at City Hall. The Active Directory system has complex passwords are the two applications mention (Social Services and Land records) are being replaced and the mitigating control is that you cannot log in to access those two applications without first accessing Active Directory.

OTHER COMMUNICATIONS TO THOSE CHARGED WITH GOVERNANCE

Page 7

TWO WAY COMMUNICATION REGARDING YOUR AUDIT As part of our audit of your financial statements, we are providing communications to you throughout the audit process. Auditing requirements provide for two-way communication and are important in assisting the auditor and you with more information relevant to the audit. As this past audit is concluded, we use what we have learned to begin the planning process for next year’s audit. It is important that you understand the following points about the scope and timing of our next audit:

a. We address the significant risks of material misstatement, whether due to fraud or error, through our detailed audit procedures.

b. We will obtain an understanding of the five components of internal control sufficient to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. We will obtain a sufficient understanding by performing risk assessment procedures to evaluate the design of controls relevant to an audit of financial statements and to determine whether they have been implemented. We will use such knowledge to:

Identify types of potential misstatements. Consider factors that affect the risks of material misstatement. Design tests of controls, when applicable, and substantive procedures.

We will not express an opinion on the effectiveness of internal control over financial reporting or compliance with laws, regulations, and provisions of contracts or grant programs. For audits done in accordance with Government Auditing Standards, our report will include a paragraph that states that the purpose of the report is solely to describe the scope of testing of internal control over financial reporting and compliance and the result of that testing and not to provide an opinion on the effectiveness of internal control over financial reporting or on compliance and that the report is an integral part of an audit performed in accordance with Government Auditing Standards in considering internal control over financial reporting and compliance. The paragraph will also state that the report is not suitable for any other purpose.

c. The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for fair presentation of financial statements in conformity with generally accepted accounting principles while other matters are not important. In performing the audit, we are concerned with matters that, either individually or in the aggregate, could be material to the financial statements. Our responsibility is to plan and perform the audit to obtain reasonable assurance that material misstatements, whether caused by errors or fraud, are detected.

d. We address the significant risks or material noncompliance, whether due to fraud or error, through our detailed audit procedures.

e. We will obtain an understanding of the five components of internal control sufficient to assess the risk of material noncompliance related to the federal and state awards whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. We will obtain a sufficient understanding by performing risk assessment procedures to evaluate the design of controls relevant to an audit of the federal and state awards and to determine whether they have been implemented. We will use such knowledge to:

Identify types of potential noncompliance. Consider factors that affect the risks of material noncompliance. Design tests of controls, when applicable, and other audit procedures.

Page 8

TWO WAY COMMUNICATION REGARDING YOUR AUDIT (cont.)

e. (cont.)

Our audit will be performed in accordance with U.S. generally accepted auditing standards, Government Auditing Standards, OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), and the State Single Audit Guidelines.

We will not express an opinion on the effectiveness of internal control over financial reporting or compliance with laws, regulations, and provisions of contracts or grant programs. For audits done in accordance with Government Auditing Standards, the Uniform Guidance and the State Single Audit Guidelines, our report will include a paragraph that states that the purpose of the report is solely to describe (a) the scope of testing of internal control over financial reporting and compliance and the result of that testing and not to provide an opinion on the effectiveness of internal control over financial reporting or on compliance, (b) the scope of testing internal control over compliance for major programs and major program compliance and the result of that testing and to provide an opinion on compliance but not to provide an opinion on the effectiveness of internal control over compliance and, (c) that the report is an integral part of an audit performed in accordance with Government Auditing Standards in considering internal control over financial reporting and compliance and the Uniform Guidance and the State Single Audit Guidelines in considering internal control over compliance and major program compliance. The paragraph will also state that the report is not suitable for any other purpose.

f. The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for reporting material noncompliance while other matters are not important. In performing the audit, we are concerned with matters that, either individually or in the aggregate, could be material to the entity’s federal and state awards. Our responsibility is to plan and perform the audit to obtain reasonable assurance that material noncompliance, whether caused by error or fraud, is detected.

g. Your financial statements contain components, as defined by auditing standards generally accepted in the United States of America, certain components which we also audit.

h. In connection with our audit, we intend to place reliance on the audit of the financial statements of the North Central Health Care, a component unit of Marathon County, as of December 31, 2015 and for the year then ended completed by WIPFLI, LLP as well as in future years. All necessary conditions have been met to allow us to make reference to the component auditor.

We are very interested in your views regarding certain matters. Those matters are listed here:

a. We typically will communicate with your top level of management unless you tell us otherwise.

b. We understand that the county board has the responsibility to oversee the strategic direction of your organization, as well as the overall accountability of the entity. Management has the responsibility for achieving the objectives of the entity.

c. We need to know your views about your organization’s objectives and strategies, and the related business risks that may result in material misstatements.

d. Which matters do you consider warrant particular attention during the audit, and are there any areas where you request additional procedures to be undertaken?

e. Have you had any significant communications with regulators or grantor agencies?

f. Are there other matters that you believe are relevant to the audit of the financial statements or the federal or state awards?

Page 9

TWO WAY COMMUNICATION REGARDING YOUR AUDIT (cont.)

Also, is there anything that we need to know about the attitudes, awareness, and actions of the County concerning:

a. The County’s internal control and its importance in the entity, including how those charged with governance oversee the effectiveness of internal control?

b. The detection or the possibility of fraud? We also need to know if you have taken actions in response to developments in financial reporting, laws, accounting standards, governance practices, or other related matters, or in response to previous communications with us. With regard to the timing of our audit, here is some general information. We usually perform preliminary audit work during the months of October-December. Our final fieldwork is scheduled during April and May to best coincide with your readiness and report deadlines. After fieldwork, we wrap up our audit procedures at our office and issue drafts of our reports for your review. Final copies of your report and other communications are issued after approval by your staff. This is typically 6-12 weeks after final fieldwork, but may vary depending on a number of factors. Keep in mind that while this communication may assist us with planning the scope and timing of the audit, it does not change the auditor’s sole responsibility to determine the overall audit strategy and the audit plan, including the nature, timing, and extent of procedures necessary to obtain sufficient appropriate audit evidence. We realize that you may have questions on what this all means, or wish to provide other feedback. We welcome the opportunity to hear from you.

COMMUNICATION OF OTHER CONTROL DEFICIENCIES, RECOMMENDATIONS AND INFORMATIONAL POINTS TO MANAGEMENT THAT ARE NOT

MATERIAL WEAKNESSES OR SIGNIFICANT DEFICIENCIES

Page 10

PRIOR YEAR POINTS

CONFLICTS OF INTEREST We noted during our audit that the County does not currently have a formal process in place to monitor potential conflicts of interest. To reduce the risk of potential conflicts of interest for those associated with decision-making authority within the County, we recommend the County determine if additional procedures and requirements should be implemented. Current Year Status The County has reviewed existing policies and state statutes and determined that they are in compliance with statutory requirements and County policies. This comment is resolved. Management’s Response The County’s Finance Committee reviewed the recommendation by Baker Tilly. It has been determine at this time, the County will use its County Ordinance on Ethics as its guide to monitor conflict of interest.

INTERNAL SERVICE FUNDS The purpose of Internal Service Funds is to account for operations being managed on a cost reimbursement basis. Because the intent of these funds is to facilitate cost allocation, accumulation of resources or deficits over the long term is considered inappropriate. Theoretically, internal service funds would come close to breaking even each year. The County has two Internal Service Funds, the Property Casualty Insurance fund, and the Employee Benefits Insurance fund. Each of these funds has accumulated significant retained earnings. When we first reported this to you in 2010, the Employee Benefits Insurance fund had $10,034,985 of retained earnings at year end, which was about 10 months of expenses. Considering that the County is no longer self-insured for health insurance, the County may want to consider options for these accumulated resources. The Property Casualty Insurance fund had retained earnings in the amount of $6,259,471 at December 31, 2010. This represented approximately ten years’ worth of what the average ($606,735) expenses were for this fund over the previous five years. Based on the significant retained earnings balances at that time, we recommended the County determine if the rates being charged to other funds was appropriate or if they should be adjusted to more accurately represent the cost of providing these services.

Current Year Status The Property Casualty Insurance fund had an increase in its net position of $265,187 for 2015 and the net position is now $8,210,013. The Employee Benefits Insurance fund had an increase in its net position of $170,549 and the net position is now $ 4,876,014. This comment is still valid. Management’s Response Even though the County has chosen to use Group Health Trust to pool its health insurance risk, the County still has the option to self-insure its health insurance in future years. Over the years’ the County has applied over $1.6 Million of its Employee Benefits Retained Earning to offset health insurance premium and fully fund the County’s HRA for the health plan. The Employee Benefit fund net position has gone down substantially since 2010 and the County has a managed plan for using excess net position in the Employee Benefit Fund.

Page 11

PRIOR YEAR POINTS (cont.)

INTERNAL SERVICE FUNDS (cont.)

Management’s Response (cont.) The County continues to use accumulated retained earnings to offset premiums or reserve for liabilities. In the Property Casualty Fund the County does have several claims that may need to have increased reserve allocated in 2016 and we are monitoring these claims and will look at financing any additional accrued liability in this fund with the net position available to offset the liability instead of increasing premiums in future years. For 2015, the County allocated reserves to cover a portion of the increase in property and casualty insurance and will continue to use reserves when appropriate to offset increases in premiums in the future.

DECENTRALIZED CASH COLLECTIONS Many governments collect cash at numerous decentralized locations that are separate from the primary system of accounting procedures and controls. The opportunity for theft is often higher at those locations because one person is frequently involved in most, if not all, aspects of a transaction (i.e. lack of segregation of duties). Examples in your government that fit this situation include:

Clerk of Courts Solid Waste Parks Department Airport Register of Deeds Health Department Sheriff’s Department Highway Management is responsible for designing and implementing controls and procedures to detect and prevent fraud. As a result, we recommend that management review its decentralized cash collection procedures and controls on a periodic basis and make changes as necessary to strengthen the internal control environment. Reviewing the adequacy of the controls is a responsibility of the governing body. Below are example procedures and controls to help mitigate the risk of loss at decentralized cash collection points:

Implement a centralized receipting process with adequate segregation of duties

For cash collections, ensure pre-numbered receipts are being used and all receipts in the sequence are being reviewed by someone other than the person receipting the cash and receipts tie to deposits

Perform surprise procedures at decentralized locations (cash counts, walkthrough of processes, etc.)

Require regular cash deposits to minimize collections on-hand

Limit the number of separate bank accounts

Segregate duties as much as possible – the person receipting cash should be separate from the person preparing deposits and the person reconciling bank accounts should be separate from the cash collection activity

Page 12

PRIOR YEAR POINTS (cont.)

DECENTRALIZED CASH COLLECTIONS (cont.)

Perform month-to-month or year-to-year comparisons to look for unusual changes in collections

If collecting from a drop box site, consider sending two people to collect the funds, especially during peak times

As always, the cost of controls and staffing must be weighed against the benefits of safeguarding your assets.

Current Year Status These comments are still valid.

Management’s Response The County will look at ways to develop internal controls over cash collections. In many of the departments that you listed, there are separate accounting, case management, or cash receipting systems that function specifically for the departments individual requirements. The County’s main cash collection system will not meet the needs of those specific departments. In the rest of the departments the departments, balance the drawers on a daily basis, send their invoice payment to the Treasurer’s office and make timely deposits. We will continue to review the procedures associated with cash collections to strengthen internal controls.

INFORMATIONAL POINTS

CYBER RISK ASSESSMENT Cybersecurity is a growing challenge for many governments as threats and vulnerabilities constantly evolve. Information security is a significant issue for many organizations and is no longer considered to be strictly an Information Technology (IT) issue. The potential impacts of a security breach can be financial, operational, and reputational. Cyber risk should be a high priority and evaluated on a regular basis. Security breaches can come in a number of forms, which are continually evolving with advances in and increased use of technology. It is important for governments to assess what types of information they have that are vulnerable to cyber-attack. Items to consider include processing, collecting, and/or storing personal information about employees, taxpayers, and/or customers. Social security numbers, bank accounts, addresses, medical information, birth dates, and credit cards are all common examples of information existing in systems of governmental entities. In addition, general ledger data and other supporting files can be compromised. Several instances of ransomware have been reported in governmental entities like yours during the last year. Ransomware restricts access to your files and demands a ransom to the malware operator in order to release the restriction. It is important to take inventory of all the information that flows through your systems in order to properly secure your data. We recommend performing a cyber risk assessment to align the internal controls and processes with the organizational objectives, initiatives, resources, and risk appetites with regards to cyber risk. We have cybersecurity experts on staff that are available to assist with this assessment.

Management’s Response Our IT group, CCITC, did a penetration test in early 2015. The Marathon County Employee Credit Union has one done on their portion of the network on a quarterly basis and additionally we have our test environment tested with the Nessus product. For each of these tests, we have addressed any outstanding critical and high importance issues.

Page 13

INFORMATIONAL POINTS (cont.)

HIPAA RISK ASSESSMENT With data breaches on the rise, the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has ramped up auditing and enforcement of Health Insurance Portability and Accountability Act (HIPAA) compliance in recent years. What they have found is that many organizations are not doing enough to protect Electronic Protected Health Information (ePHI). One of the most common findings identified by HHS OCR is the lack of a thorough and documented risk assessment. The HIPAA Security Rule requires that organizations in accordance with the Code of Federal Regulations 45 §164.308(a)(1)(ii)(A) “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information ...”. HHS OCR has indicated this risk assessment should be documented and performed at least annually. Breach notification to HHS OCR is required when ePHI is exposed. When HHS OCR investigates such breaches, the documentation for the organization’s latest risk assessment is often one of the first requests by HHS OCR for their review. We recommend you perform and document the required HIPAA risk assessment. We are available to assist you with this process.

Management’s Response CCITC participated in a HIPAA audit for NCHC in 2014 that audit reviewed our key enterprise systems such as Active Director and our remote access technology. We are evaluating the risks and merits of a County-wide HIPAA audit and County leadership will make a determination by September 30, 2016, if we wish to pursue a HIPAA Risk audit or not.

GOVERNMENT FRAUD PREVENTION AND DETECTION: NOW IS THE TIME TO ACT

When it comes to preventing and detecting fraud in government, being proactive is critical. In fact, government is the second most likely industry to be impacted by fraud. According to the audit standards, the primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. To get started, your government should conduct a fraud risk assessment to identify where and how fraud might occur and what individuals may be in a position to commit fraud. Once you’ve identified your entity’s fraud risk areas, the next step is to develop a fraud risk assessment and investigation policy. As you begin your fraud risk assessment or develop tools to prevent and detect fraud, it is important to keep in mind the following information provided by the Association of Certified fraud Examiners:

> Misappropriation of assets accounts for 80 percent of fraud

> The primary internal control weaknesses observed are lack of internal controls, lack of management review, override of existing internal controls and poor tone at the top

> A tip is the most effective tool to catch a fraudster followed by management review

> The professional requirements and objectives of a financial audit are different than a forensic audit. Due to the nature of a financial audit, less than 10 percent of frauds have been discovered as a result of a financial audit conducted by an independent accounting firm.

If your government has not gone through a fraud risk assessment or does not have a plan to prevent and detect fraud, we recommend that this be done and then updated on a regular basis. We are available to assist you with this process.

Page 14

INFORMATIONAL POINTS (cont.)

GOVERNMENT FRAUD PREVENTION AND DETECTION: NOW IS THE TIME TO ACT (cont.)

Management’s Response In 2014, the County approved the Finance Committee as the County’s Risk Assessment Committee and we will review your suggestions and look at strengthen our Fraud Risk Assessment plan in 2016.

NEW RESOURCES FOR STATE AND LOCAL GOVERNMENT BOARDS

In recent years, our clients have told us that the roles of their board members have become increasingly demanding. Expectations and accountability are at all-time high and the knowledge required to be an effective board member is substantial. For these reasons, we have compiled a number of resources dedicated to educating state and local government board members. Go to our website www.bakertilly.com and click on the State and Local Government page. Included in the “insights” section at the bottom of the State and Local Government page are four quick-hitting, informative videos:

1. Government financial statements 101 2. Understanding your government’s fraud risk 3. Financial ratios and benchmarks 4. Fund balance and other financial policies

Also included are links to other videos, case studies and news / events that you might find of interest. We encourage you to subscribe to our complimentary newsletter “Government Connection” to stay abreast of the latest issues impacting state and local governments. You can do so by clicking on the “subscribe” button and indicating "State and Local Government" as an area of interest on the subscription form. Also, if you or your board members have suggested topics to feature on our Board Governance webpage or Government Connection newsletter, we invite you to submit your ideas in person or online.

INTERPRETING YOUR FINANCIAL STATEMENTS POST-GASB NO. 68 Now that your financial statements reflect the new pension requirements of GASB Statement No. 68, what has changed and how do you interpret this new information? In summary, GASB Statement No. 68 required governmental entities participating in the Wisconsin Retirement System (WRS) to report their proportionate share of the plan’s activity and net pension asset. As of the December 31, 2014 measurement date used for your 2015 financial statements, WRS reported total resources available to provide pension benefits of $92.1 billion. They also reported a total liability for pensions of $89.7 billion. This resulted in a net pension asset of $2.4 billion. Your government’s proportionate share of the asset is $6,165,255 and is reported as a restricted asset. There are also pension-related deferred outflows or inflows due to timing of contributions and smoothing of activity. Pension activity under GASB Statement No. 68 is report in the government-wide financial statements and proprietary fund financial statements, similar to long-term debt. The implementation of this new standard does not affect how you fund or pay for your pension contributions to the WRS. The accounting and reporting of pensions has become more complex with the implementation of GASB Statement No. 68. We are available to answer any questions on how this new accounting standard affects your financial statements.

Page 15

INFORMATIONAL POINTS (cont.)

GASB UPDATES

The following is a schedule of GASB projects:

Task or Event Effective Date Impact GASB 72 – Fair Value Measurement and Application

For financial statements for periods beginning after June 15, 2015

Items that are now subject to fair value measurement that weren’t before: private equity/hedge funds, real estate investments, many investments that were previously carried at cost or under the equity method, derivatives will now be measured using exit price, donated long term assets. Does not affect money markets, investments in 2a7-like pools, or assets held by the government that enhance the ability to provide services.

GASB 73 – Accounting and Financial Reporting for Pensions and Related Assets That Are Not within the Scope of GASB 68, and Amendments to Certain Provisions of GASB Statements 67 and 68

For fiscal years beginning after June 15, 2016 for pensions that are not within the scope of GASB 68. For fiscal years beginning after June 15, 2015 for pensions within the scope of GASB 67 and 68.

Part I extends the approach of GASB 68 to all pensions (with some modifications. Part II clarifies certain requirements of GASB 67 and 68.

GASB 74 – Financial Reporting for Postemployment Benefit Plans Other Than Pension Plans and GASB 75 – Accounting and Financial Reporting for Postemployment Benefits Other Than Pensions

GASB 74: For fiscal years beginning after June 15, 2016 GASB 75: For fiscal years beginning after June 15, 2017

These standards have similarities to the previous OPEB standards, most notably the definition of an OPEB and the option of the alternative measurement method for small governments. However, the calculation and reporting of the OPEB liability and various required disclosures will change under the new standards, becoming similar to the pension standards.

GASB 76 – The Hierarchy of Generally Accepted Accounting Principles for State and Local Governments

For reporting periods beginning after June 15, 2015

Officially established accounting principles – GASB statements (Category A) and GASB Technical Bulletins, implementation guides and literature of the AICPA cleared by the GASB (Category B)

Page 16

INFORMATIONAL POINTS (cont.)

GASB UPDATES (cont.)

Task or Event Effective Date Impact

GASB 77 – Tax Abatement Disclosures

For financial statements for periods beginning after December 15, 2015

Tax abatements are a reduction in tax revenue that has the following characteristics: (1) An agreement between one or more governments and an individual or entity in which: (a) one or more governments promise to forgo tax revenues to which they are otherwise entitled and; (b) the individual or entity promises to take specific action after the agreement has been entered into that contributes to economic development or otherwise benefits the governments or the citizens of those governments.

This definition is limited and excludes many incentive and other programs because they do not meet one or more of the requirements.

GASB 78 – Pensions Provided through Certain Multiple-Employer Defined Benefit Pension Plans

For reporting periods beginning after December 15, 2015

This addresses a specific issue regarding the ability of state and local governmental employers to obtain necessary information related to pensions that are provided through certain multiple-employer benefit pension plans that are not a state or local governmental pension plan.

GASB 79 – Certain External Investment Pools and Pool Participants

For reporting periods beginning after June 15, 2015, except for certain provisions on portfolio quality, custodial credit risk, and shadow pricing, which are effective for reporting periods beginning after December 15, 2015

It establishes criteria for an external investment pool to qualify for making the election to measure all its investments at amortized costs for financial reporting purposes.

Current Agenda Project: Blending Requirements for Certain Component Units

Proposed effective date – June 30, 2017 (Exposure Draft issued in June 2015)

The objective of this project is to improve financial reporting by addressing issues related to inconsistent presentation of certain component units in financial reporting of governments.

Current Agenda Project: Pension Issues

Proposed effective date – June 30, 2017 (Exposure Draft issued in December 2015)

The object of this project is to consider the need for revisions to certain of the requirements in GASB 67 and 68, as a result of issues raised by stakeholders.

Page 17

INFORMATIONAL POINTS (cont.)

GASB UPDATES (cont.)

Task or Event Effective Date Impact

Current Agenda Project: Irrevocable Split-Interest Agreements

Proposed effective date – December 31, 2017 (Exposure Draft issued in June 2015)

The objective of this project is to determine what accounting and financial reporting guidance, if any, should be established for irrevocable split-interest agreements held for the benefit of governmental entities.

Current Agenda Project: Fiduciary Activities

Proposed effective date – December 31, 2018 (Exposure draft issued December 2015)

This project is to develop guidance regarding whether and how governments should report fiduciary activities in their general purpose external financial reports.

Current Agenda Project: Asset Retirement Obligations

Proposed effective date – December 31, 2018 (Exposure Draft issued in December 2015)

The objective of this project is to improve financial reporting by developing requirements on recognition and measurement for asset retirement obligations, other than landfills.

Current Agenda Project: Leases

The GASB Board is scheduled to issue an Exposure Draft in January 2016

The objective of this project is to reexamine issues associated with lease accounting, considering improvements to existing guidance.

Current Agenda Project: Certain Extinguishments Using Existing Resources

The GASB Board is scheduled to issue an Exposure Draft in August 2016

The project will consider improvements to the existing guidance related to debt extinguishments using existing resources. Debt extinguishments connected with troubled debt restructurings and bankruptcy, which are addressed in other pronouncements, are not included.

The GASB has a project on hold (conceptual framework for recognition) pending the reexamination of the financial reporting model. The GASB revisits GASB standards ten (10) years after issuance. The GASB is currently revisiting GASB Statement No. 34, Basic Financial Statements – and Management’s Discussion and Analysis for State and Local Governments, as well as reporting model-related pronouncements including Statements Nos. 37, 41, and No. 46 and Interpretation No. 6, Recognition and Measurement of Certain Liabilities and Expenditures in Governmental Fund Financial Statements. The GASB has indicated that they are revisiting the following major provisions of these standards: management’s discussion and analysis, government-wide financial statements, fund financial statements, capital asset reporting, budgetary comparisons, special purpose government reporting, and related notes to financial statements. In addition, the GASB is revisiting debt extinguishments, which includes a reexamination of GASB Statement Nos. 7, 23, and 62. We will share updates with you as they become available. Full lists of projects, as well as many resources, are available on GASB’s website which is located at www.gasb.org.

REQUIRED COMMUNICATIONS BY THE AUDITOR TO THOSE CHARGED WITH GOVERNANCE

Page 18

To the Marathon County Board of Supervisors and the Finance and Property Committee and Management Marathon County Wausau, Wisconsin Thank you for using Baker Tilly Virchow Krause, LLP as your auditor. We have completed our audit of the financial statements of Marathon County for the year ended December 31, 2015 and have issued our report thereon dated June 27, 2016. This letter presents communications required by our professional standards. OUR RESPONSIBILITY UNDER AUDITING STANDARDS GENERALLY ACCEPTED IN THE UNITED STATES OF AMERICA, GOVERNMENT AUDITING STANDARDS, THE UNIFORM GUIDANCE, AND THE STATE SINGLE AUDIT GUIDELINES The objective of a financial statement audit is the expression of an opinion on the financial statements. We conducted the audit in accordance with auditing standards generally accepted in the United States of America, Government Auditing Standards, OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), and the State Single Audit Guidelines. These standards require that we plan and perform our audit to obtain reasonable, rather than absolute, assurance about whether the financial statements prepared by management with your oversight are free of material misstatement, whether caused by error or fraud. Our audit included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing accounting principles used and significant estimates made by management, and evaluating the overall financial statement presentation. Our audit does not relieve management or those charged with governance of their responsibilities. We considered the Marathon County’s internal control over financial reporting to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Marathon County’s internal control over financial reporting. We will consider the internal control over compliance with types of requirements that could have a direct and material effect on a major federal and major state program to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing an opinion on compliance for a major federal and state program and to test and report on internal control over compliance in accordance with the Uniform Guidance and the State Single Audit Guidelines, but not for the purpose of expressing an opinion on the effectiveness of internal control over compliance. As part of obtaining reasonable assurance about whether Marathon County’s financial statements are free of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts. However, providing an opinion on compliance with those provisions is not an objective of our audit. Also, in accordance with the Uniform Guidance and the State Single Audit Guidelines, we will examine, on a test basis, evidence about Marathon County’s compliance with the types of compliance requirements described in the OMB Compliance Supplement and the State Single Audit Guidelines that could have a direct and material effect on each of its major federal and state programs for the purpose of expressing an opinion on Marathon County’s compliance with those requirements. While our audit provides a reasonable basis for our opinion on compliance, it does not provide a legal determination on Marathon County’s compliance with those requirements. We will issue a separate document which contains the results of our audit procedures to comply with the Uniform Guidance and the State Single Audit Guidelines.

Baker Tilly Virchow Krause, LLP Ten Terrace Ct, PO Box 7398 Madison, WI 53707-7398 tel 608 249 6622 fax 608 249 8532 bakertilly.com

To the Marathon County Board of Supervisors and the Finance and Property Committee and Management Marathon County

Page 19

OTHER INFORMATION IN DOCUMENTS CONTAINING AUDITED FINANCIAL STATEMENTS

Our responsibility does not extend beyond the audited financial statements identified in this report. We do not have any obligation to and have not performed any procedures to corroborate other information contained in client prepared documents, such as official statements related to debt issues. PLANNED SCOPE AND TIMING OF THE AUDIT We performed the audit according to the planned scope and timing previously communicated to our letter about planning matters dated June 23, 2015 and our meeting with you on July 20, 2015. QUALITATIVE ASPECTS OF THE ENTITY’S SIGNIFICANT ACCOUNTING PRACTICES Accounting Policies

Management has the responsibility for selection and use of appropriate accounting policies. In accordance with the terms of our engagement letter, we will advise management about the appropriateness of accounting policies and their application. The significant accounting policies used by Marathon County are described in Note I to the financial statements. As described in Note I to the financial statements, Marathon County changed accounting policies related to financial reporting for pensions by adopting Statement of Governmental Accounting Standards (GASB) Statement No. 68, Accounting and Financial Reporting for Pensions – an Amendment of GASB Statement No. 27 and GASB Statement No. 71, Pension Transition for Contributions Made Subsequent to the Measurement Date – an Amendment of GASB Statement No. 68 in 2015. Accordingly, the accounting change has been retrospectively applied to prior periods presented as if the policy has always been used. We noted no transactions entered into by Marathon County during the year that were both significant and unusual, and of which, under professional standards, we are required to inform you, or transactions for which there is a lack of authoritative guidance or consensus. Accounting Estimates

Accounting estimates are an integral part of the financial statements prepared by management and are based on management's knowledge and experience about past and current events and assumptions about future events. Certain accounting estimates are particularly sensitive because of their significance to the financial statements and because of the possibility that future events affecting them may differ significantly from those expected. The most sensitive estimates affecting the financial statements were:

1. Management's estimate of the landfill closure and long-term care liabilities are engineering estimates of closure and post closure costs.

2. Management's estimate of the self insurance claims liability is based upon information provided to the County by its actuaries.

3. The estimate of the net pension asset and the deferred outflows and deferred inflows related to pensions, which impact the reported pension expense, are based upon information provided by the Wisconsin Retirement System.

4. Management’s estimate of depreciation expense is based upon estimated useful lives of the related capital asset.

We evaluated the key factors and assumptions used to develop all of these estimates in determining that they are reasonable in relation to the financial statements taken as a whole. Financial Statement Disclosures

The disclosures in the notes to the financial statements are neutral, consistent, and clear.

To the Marathon County Board of Supervisors and the Finance and Property Committee and Management Marathon County

Page 20

DIFFICULTIES ENCOUNTERED IN PERFORMING THE AUDIT We encountered no significant difficulties in dealing with management in performing our audit. CORRECTED AND UNCORRECTED MISSTATEMENTS Professional standards require us to accumulate all known and likely misstatement identified during the audit, other than those that are trivial, and communicate them to the appropriate level of management. In the prior year, $615,518 was not allocated to the business-type activities from the GASB No. 34 conversion entries eliminating the internal service funds. For the current year, $74,234 was not eliminated. This causes the governmental activities change in net position to be understated and the business-type activities change in net position to be overstated by $74,234 for the current year. The governmental activities expenses are overstated by $74,234 and the business-type activities are understated by the same amount. In addition, there is an unreconciled balance between the County’s general ledger and the County’s highway system of $102,958 for capital equipment. This results in the highway enterprise fund and the business-type activities assets and net position being understated by the same amount. An invoice for the landfill fund was underestimated at year end. The actual invoice was not received until late May by the County. This caused the liabilities and expenses to be understated by $197,102 for the landfill enterprise fund and the business-type activities. Management has determined that the effect of these items is immaterial to the financial statements taken as a whole. None of the misstatements detected as a result of audit procedures and corrected by management were material, either individually, or in the aggregate, to the financial statements taken as a whole. In addition, we prepared GASB No. 34 conversion entries which are summarized in the “Reconciliation of the Balance Sheet of Governmental Funds to the Statement of Net Position” and the “Reconciliation of the Statement of Revenues, Expenditures, and Changes in Fund Balances of Governmental Funds to the Statement of Activities” in the financial statements DISAGREEMENTS WITH MANAGEMENT For purposes of this letter, professional standards define a disagreement with management as a matter, whether or not resolved to our satisfaction, concerning a financial accounting, reporting, or auditing matter that could be significant to the financial statements or the auditors’ report. We are pleased to report that no such disagreements arose during the course of our audit. CONSULTATIONS WITH OTHER INDEPENDENT ACCOUNTANTS In some cases, management may decide to consult with other accountants about auditing and accounting matters. If a consultation involves application of an accounting principle to the governmental unit’s financial statements or a determination of the type of auditors’ opinion that may be expressed on those statements, our professional standards require the consulting accountant to check with us to determine that the consultant has all the relevant facts. To our knowledge, there were no such consultations with other accountants.

MANAGEMENT REPRESENTATIONS We have requested certain representations from management that are included in the management representation letter. This letter follows this required communication.

To the Marathon County Board of Supervisors and the Finance and Property Committee and Management Marathon County

Page 21

INDEPENDENCE We are not aware of any relationships between Baker Tilly Virchow Krause, LLP and Marathon County that, in our professional judgment, may reasonably be thought to bear on our independence. Relating to our audit of the financial statements of Marathon County for the year ended December 31, 2015, Baker Tilly Virchow Krause, LLP hereby confirms that we are, in our professional judgment, independent with respect to the County in accordance with the Code of Professional Conduct issued by the American Institute of Certified Public Accountants, and provided no services to the County other than audit services provided in connection with the audit of the current year’s financial statements and nonaudit services which in our judgment do not impair our independence.

Financial statement preparation Adjusting journal entries Tax 16 preparation

None of these nonaudit services constitute an audit under generally accepted auditing standards, including Government Auditing Standards. OTHER AUDIT FINDINGS OR ISSUES We generally discuss a variety of matters, including the application of accounting principles and auditing standards, with management each year prior to retention as Marathon County's auditors. However, these discussions occurred in the normal course of our professional relationship and our responses were not a condition to our retention. OTHER MATTERS We applied certain limited procedures to the required supplementary information (RSI) that supplements the basic financial statements. Our procedures consisted of inquiries of management regarding the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We did not audit the RSI and do not express an opinion or provide any assurance on the RSI. We were engaged to report on the supplementary information which accompanies the financial statements but is not RSI. With respect to the supplementary information, we made certain inquiries of management and evaluated the form, content, and methods of preparing the information to determine that the information complies with accounting principles generally accepted in the United States of America, the method of preparing it has not changed from the prior period, and the information is appropriate and complete in relation to our audit of the financial statements. We compared and reconciled the supplementary information to the underlying accounting records used to prepare the financial statements or to the financial statements themselves. We were not engaged to report on the other information, which accompanies the financial statements but are not RSI. We did not audit or perform other procedures on this other information and we do not express an opinion or provide any assurance on it.